The Latest in IT Security

Rogue Yahoo! Messenger Cashes In on Latest YM Update

06 Dec 2012

On the heels of Yahoo!’s recent announcement of upcoming updates for the Messenger platform, certain bad guys are already taking this chance to release their own, malicious versions of Yahoo! Messenger.

While doing my research, I encountered this particular file (detected by Trend Micro as TROJ_ADCLICK.TNH), which looks like a legitimate Yahoo! Messenger executable.

However, when I checked its file properties, I found that it is actually an AutoIt compiled file.
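The post reached this conclusion from the file's properties. As an added example (not code from the original post), the same triage question can be answered by scanning the bytes for marker strings that AutoIt3-compiled executables commonly embed; the function names, the brand keyword list and the sample bytes are constructed for illustration.

```python
import struct

# Byte strings that AutoIt3-compiled executables commonly embed.
AUTOIT_MARKERS = {
    "script header AU3!EA06": b"AU3!EA06",
    "script header AU3!EA05": b"AU3!EA05",
    "resource tag (ASCII)": b">>>AUTOIT SCRIPT<<<",
    "resource tag (UTF-16LE)": ">>>AUTOIT SCRIPT<<<".encode("utf-16-le"),
}

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def autoit_markers(data: bytes) -> list[str]:
    """Return the names of all AutoIt markers present in the file bytes."""
    return [name for name, sig in AUTOIT_MARKERS.items() if sig in data]

def triage(filename: str, data: bytes, brands=("yahoo", "messenger")) -> str:
    """Flag a PE that carries a brand name but is really an AutoIt script host."""
    if not is_pe(data):
        return "not-pe"
    if not autoit_markers(data):
        return "no-autoit-markers"
    # Hypothetical brand list: a vendor-named installer has no reason to be AutoIt.
    if any(b in filename.lower() for b in brands):
        return "suspicious"
    return "autoit"

def fake_pe(payload: bytes) -> bytes:
    """Constructed sample: minimal MZ/PE stub plus payload (not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + b"\0" * 20 + payload

if __name__ == "__main__":
    sample = fake_pe(b"\0" * 16 + b"AU3!EA06" + b"constructed-script-body")
    print(triage("Yahoo Messenger.exe", sample), autoit_markers(sample))
```

Packed or modified samples may hide these strings, so a result of `no-autoit-markers` only means no marker was seen.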

Once users download and execute this file, which is saved as C:\Program Files\Yahoo Messenger.exe, the malware checks if an Internet connection is available by pinging Google. If it returns any value not equal to 0, it proceeds to check the user’s existing Internet browser(s).

Once a browser is found, it connects to the websites http://{BLOCKED}ly/2JiIW and http://{BLOCKED}bd.linkbucks.com, as seen below:

But this threat doesn’t stop there. According to my colleague Arabelle Ebora, these sites further redirect users to other webpages. Some of these pages even result in several, almost endless redirections.

This scheme looks like classic click fraud. By connecting to these sites, which are pay-per-click sites, the malware generates a “visit” that translates into profit for the site owners and/or the malware author.

As mentioned, the people behind this threat are attempting to piggyback on Yahoo!’s recent announcement to reach out to as many users as possible. Unfortunately, this social engineering tactic has been proven effective, such as in the case of fake keygen applications for Windows 8 and malicious versions of Bad Piggies.

To stay safe from these threats, users must be cautious when visiting sites or downloading files from the Internet. For better protection, users should bookmark trusted sites and refrain from visiting unknown pages. Cybercriminals and other bad guys on the Internet are good at crafting their schemes to make them more appealing to ordinary users. Thus, it pays to know more about social engineering tactics and what makes them work.

Trend Micro Smart Protection Network™ protects users by detecting this malware if it is found on a user's system, and also blocks access to the related websites.

With additional inputs by Arabelle Ebora
